Anatomy of a Simple Web Token (SWT)

Simple Web Token – the name says it all. It is a token, it is for the web (read HTTP) and it is simple! Then, there is the good old SAML token, which is XML-based. If there be light, then there is darkness; if cold, heat; if height, depth… If XML, JSON; so, there is a JSON web token (JWT) as well. SAML is more SOAP-ish, and SWT and JWT are REST-ish.

Naturally, SWT is a good choice for ASP.NET Web API. Using OAuth 2.0, SWT can be sent in the HTTP authentication header (bearer scheme). That topic is too big for a single blog post. So, let’s focus on just SWT and, hopefully, look at using SWT as a bearer token through OAuth 2.0 in a future post. There is a great open source library for OAuth 2.0 – DotNetOpenAuth – but my understanding, as of the time of writing this blog post, is that SWT is not supported by DotNetOpenAuth for OAuth 2.0.

Anyways, let’s get on with dissecting a SWT.

Basic Authentication with ASP.NET Web API

Back in 2000, in one of our projects, we used XML over HTTP. We had our own protocol enforced through XSDs. At that time, I did not know that this would be called POX over HTTP. Anyways, web services, SOAP-based or not, have been around for a while. ASMX was once the favorite and is now a legacy technology, with WCF being the foundation of choice for any services development in the Microsoft stack. WCF is cool but has SOAP affinity. Soap is not bad and I use it every day but I do hate the soap scum. RESTful services are better and WCF does support creating such services.

For anyone who has spent some time on ASP.NET MVC, it is very natural to use action methods returning JsonResult to be consumed by the client. To do Ajax stuff, I can use WCF on the server side, but if the application is already leveraging ASP.NET MVC, it is convenient to use an action method for this purpose. But such an arrangement gets RPC-ish, with the action method, mostly a verb, being in the URL.

Enter ASP.NET Web API – a ‘framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. ASP.NET Web API is an ideal platform for building RESTful applications on the .NET Framework’. Cool! Looks like I have a great framework to build my services. Now, the first question that comes to my mind is how to secure them. Don’t want to use anything related to SOAP.